#!/usr/bin/env bash

# {{ ansible_managed }}

# This script is being created with mode 0755 intentionally. This is so that the
#  script can be executed by root to rotate the keys as needed. The script being
#  executed will always change it's user context to the keystone user before
#  execution and while the script may be world read/executable its contains only
#  the necessary bits that are required to run the rotate and sync commands.

function autorotate {
    # Rotate the keys
    /usr/bin/keystone-manage fernet_rotate \
                                       --keystone-user "{{ keystone_system_user_name }}" \
                                       --keystone-group "{{ keystone_system_group_name }}"
    {% for host in groups['keystone'] %}

    {% if inventory_hostname != host %}

    # Fernet sync job to "{{ host }}"
    scp -o UserKnownHostsFile=/dev/null \
        -o StrictHostKeyChecking=no \
        $(ls -dtr {{ keystone_fernet_tokens_key_repository }}/* | sort -Vr) \
        {{ keystone_system_user_name }}@{{ hostvars[host]['ansible_host'] }}:{{ keystone_fernet_tokens_key_repository }}/

    rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' \
          -avz \
          --delete \
          {{ keystone_fernet_tokens_key_repository }}/ \
          {{ keystone_system_user_name }}@{{ hostvars[host]['ansible_host'] }}:{{ keystone_fernet_tokens_key_repository }}/

    {%- endif %}

    {%- endfor %}

}

if [ "$(id -u)" == "0" ];then
# Change the script context to always execute as the "{{ keystone_system_user_name }}" user.
su - "{{ keystone_system_user_name }}" -s "/bin/bash" -c bash << EOC
    {{ keystone_fernet_auto_rotation_script }}
EOC
elif [ "$(whoami)" == "{{ keystone_system_user_name }}" ];then
    logger $(autorotate)
else
    echo "Failed - you do not have permission to rotate, or you've executed the job as the wrong user."
    exit 99
fi
